<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang=""> <head> <meta charset="utf-8" /> <meta name="generator" content="pandoc" /> <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" /> <title>-</title> <style> html { line-height: 1.5; font-family: Georgia, serif; font-size: 20px; color: #1a1a1a; background-color: #fdfdfd; } body { margin: 0 auto; max-width: 36em; padding-left: 50px; padding-right: 50px; padding-top: 50px; padding-bottom: 50px; hyphens: auto; overflow-wrap: break-word; text-rendering: optimizeLegibility; font-kerning: normal; } @media (max-width: 600px) { body { font-size: 0.9em; padding: 1em; } h1 { font-size: 1.8em; } } @media print { body { background-color: transparent; color: black; font-size: 12pt; } p, h2, h3 { orphans: 3; widows: 3; } h2, h3, h4 { page-break-after: avoid; } } p { margin: 1em 0; } a { color: #1a1a1a; } a:visited { color: #1a1a1a; } img { max-width: 100%; } h1, h2, h3, h4, h5, h6 { margin-top: 1.4em; } h5, h6 { font-size: 1em; font-style: italic; } h6 { font-weight: normal; } ol, ul { padding-left: 1.7em; margin-top: 1em; } li > ol, li > ul { margin-top: 0; } blockquote { margin: 1em 0 1em 1.7em; padding-left: 1em; border-left: 2px solid #e6e6e6; color: #606060; } code { font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace; font-size: 85%; margin: 0; } pre { margin: 1em 0; overflow: auto; } pre code { padding: 0; overflow: visible; overflow-wrap: normal; } .sourceCode { background-color: transparent; overflow: visible; } hr { background-color: #1a1a1a; border: none; height: 1px; margin: 1em 0; } table { margin: 1em 0; border-collapse: collapse; width: 100%; overflow-x: auto; display: block; font-variant-numeric: lining-nums tabular-nums; } table caption { margin-bottom: 0.75em; } tbody { margin-top: 0.5em; border-top: 1px solid #1a1a1a; border-bottom: 1px solid #1a1a1a; } th { border-top: 1px solid #1a1a1a; padding: 0.25em 0.5em 0.25em 0.5em; } td { padding: 0.125em 0.5em 0.25em 0.5em; } header { margin-bottom: 4em; text-align: center; } #TOC li { list-style: none; } #TOC ul { padding-left: 1.3em; } #TOC > ul { padding-left: 0; } #TOC a:not(:hover) { text-decoration: none; } code{white-space: pre-wrap;} span.smallcaps{font-variant: small-caps;} span.underline{text-decoration: underline;} div.column{display: inline-block; vertical-align: top; width: 50%;} div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;} ul.task-list{list-style: none;} pre > code.sourceCode { white-space: pre; position: relative; } pre > code.sourceCode > span { display: inline-block; line-height: 1.25; } pre > code.sourceCode > span:empty { height: 1.2em; } .sourceCode { overflow: visible; } code.sourceCode > span { color: inherit; text-decoration: inherit; } div.sourceCode { margin: 1em 0; } pre.sourceCode { margin: 0; } @media screen { div.sourceCode { overflow: auto; } } @media print { pre > code.sourceCode { white-space: pre-wrap; } pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; } } pre.numberSource code { counter-reset: source-line 0; } pre.numberSource code > span { position: relative; left: -4em; counter-increment: source-line; } pre.numberSource code > span > a:first-child::before { content: counter(source-line); position: relative; left: -1em; text-align: right; vertical-align: baseline; border: none; display: inline-block; -webkit-touch-callout: none; -webkit-user-select: none; -khtml-user-select: none; -moz-user-select: none; -ms-user-select: none; user-select: none; padding: 0 4px; width: 4em; color: #aaaaaa; } pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; } div.sourceCode { } @media screen { pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; } } code span.al { color: #ff0000; font-weight: bold; } /* Alert */ code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */ code span.at { color: #7d9029; } /* Attribute */ code span.bn { color: #40a070; } /* BaseN */ code span.bu { color: #008000; } /* BuiltIn */ code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */ code span.ch { color: #4070a0; } /* Char */ code span.cn { color: #880000; } /* Constant */ code span.co { color: #60a0b0; font-style: italic; } /* Comment */ code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */ code span.do { color: #ba2121; font-style: italic; } /* Documentation */ code span.dt { color: #902000; } /* DataType */ code span.dv { color: #40a070; } /* DecVal */ code span.er { color: #ff0000; font-weight: bold; } /* Error */ code span.ex { } /* Extension */ code span.fl { color: #40a070; } /* Float */ code span.fu { color: #06287e; } /* Function */ code span.im { color: #008000; font-weight: bold; } /* Import */ code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */ code span.kw { color: #007020; font-weight: bold; } /* Keyword */ code span.op { color: #666666; } /* Operator */ code span.ot { color: #007020; } /* Other */ code span.pp { color: #bc7a00; } /* Preprocessor */ code span.sc { color: #4070a0; } /* SpecialChar */ code span.ss { color: #bb6688; } /* SpecialString */ code span.st { color: #4070a0; } /* String */ code span.va { color: #19177c; } /* Variable */ code span.vs { color: #4070a0; } /* VerbatimString */ code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */ .display.math{display: block; text-align: center; margin: 0.5rem auto;} </style> </head> <body> <h1 id="oleid">oleid</h1> oleid is a script to analyze OLE files such as MS Office documents (e.g. Word, Excel), to detect specific characteristics usually found in malicious files (e.g. malware). For example it can detect VBA macros and embedded Flash objects. It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package. <h2 id="main-features">Main Features</h2> <ul> <li>Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, …)</li> <li>Detect VBA Macros</li> <li>Detect embedded Flash objects</li> <li>Detect embedded OLE objects</li> <li>Detect MS Office encryption</li> <li>Can be used as a command-line tool</li> <li>Python API to integrate it in your applications</li> </ul> Planned improvements: <ul> <li>Extract the most important metadata fields</li> <li>Support for OpenXML files and embedded OLE files</li> <li>Generic VBA macros detection</li> <li>Detect auto-executable VBA macros</li> <li>Extended OLE file types detection</li> <li>Detect unusual OLE structures (fragmentation, unused sectors, etc)</li> <li>Options to scan multiple files</li> <li>Options to scan files from encrypted zip archives</li> <li>CSV output</li> </ul> <h2 id="usage">Usage</h2> <pre class="text"><code>oleid <file></code></pre> <h3 id="example">Example</h3> Analyzing a Word document containing a Flash object and VBA macros: <pre class="text"><code>C:\oletools>oleid word_flash_vba.doc Filename: word_flash_vba.doc +-------------------------------+-----------------------+ | Indicator | Value | +-------------------------------+-----------------------+ | OLE format | True | | Has SummaryInformation stream | True | | Application name | Microsoft Office Word | | Encrypted | False | | Word Document | True | | VBA Macros | True | | Excel Workbook | False | | PowerPoint Presentation | False | | Visio Drawing | False | | ObjectPool | True | | Flash objects | 1 | +-------------------------------+-----------------------+</code></pre> <h2 id="how-to-use-oleid-in-your-python-applications">How to use oleid in your Python applications</h2> First, import oletools.oleid, and create an OleID object to scan a file: <div class="sourceCode" id="cb3"><pre class="sourceCode python"><code class="sourceCode python"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a>import oletools.oleid <a href="#cb3-2" aria-hidden="true" tabindex="-1"></a> <a href="#cb3-3" aria-hidden="true" tabindex="-1"></a>oid = oletools.oleid.OleID(filename)</code></pre></div> Note: filename can be a filename, a file-like object, or a bytes string containing the file to be analyzed. Second, call the check() method. It returns a list of Indicator objects. Each Indicator object has the following attributes: <ul> <li>id: str, identifier for the indicator</li> <li>name: str, name to display the indicator</li> <li>description: str, long description of the indicator</li> <li>type: class of the indicator (e.g. bool, str, int)</li> <li>value: value of the indicator</li> </ul> For example, the following code displays all the indicators: <div class="sourceCode" id="cb4"><pre class="sourceCode python"><code class="sourceCode python"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a>indicators = oid.check() <a href="#cb4-2" aria-hidden="true" tabindex="-1"></a>for i in indicators: <a href="#cb4-3" aria-hidden="true" tabindex="-1"></a> print 'Indicator id=%s name="%s" type=%s value=%s' % (i.id, i.name, i.type, repr(i.value)) <a href="#cb4-4" aria-hidden="true" tabindex="-1"></a> print 'description:', i.description <a href="#cb4-5" aria-hidden="true" tabindex="-1"></a> print ''</code></pre></div> See the source code of oleid.py for more details. <hr /> <h2 id="python-oletools-documentation">python-oletools documentation</h2> <ul> <li><a href="Home.html">Home</a></li> <li><a href="License.html">License</a></li> <li><a href="Install.html">Install</a></li> <li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li> <li>Tools: <ul> <li><a href="mraptor.html">mraptor</a></li> <li><a href="msodde.html">msodde</a></li> <li><a href="olebrowse.html">olebrowse</a></li> <li><a href="oledir.html">oledir</a></li> <li><a href="oleid.html">oleid</a></li> <li><a href="olemap.html">olemap</a></li> <li><a href="olemeta.html">olemeta</a></li> <li><a href="oleobj.html">oleobj</a></li> <li><a href="oletimes.html">oletimes</a></li> <li><a href="olevba.html">olevba</a></li> <li><a href="pyxswf.html">pyxswf</a></li> <li><a href="rtfobj.html">rtfobj</a></li> </ul></li> </ul> </body> </html>